As the maintainer of Service Accounts for a Logistics application spread across multiple projects, you need to enable VMs in the web-applications project to access activity data stored in a BigQuery dataset within the em-databases-app project. According to Google's recommended practices, how should you configure access for the service accounts?
Explanation:
Option A is incorrect because IAM roles are assigned to users and service accounts, not projects. Granting the project owner role to web-applications does not ensure the service account in web-applications can access the BigQuery dataset in em-databases-app. The project owner role only allows managing the project, not accessing resources in other projects.
Option B is incorrect because the project owner role is too broad. It grants full control over both projects but does not specifically allow the service account in web-applications to access the BigQuery dataset in em-databases-app.
Option C is incorrect because assigning the project owner role to em-databases-app and the bigquery.dataViewer role to web-applications does not grant the service account in web-applications access to the dataset in em-databases-app. The bigquery.dataViewer role only permits viewing data in BigQuery, not accessing datasets in other projects.
Option D is correct because assigning the bigquery.dataViewer role to em-databases-app ensures the service account there can view the dataset. Granting appropriate roles to web-applications ensures its service account can also access the dataset, adhering to Google's principle of least privilege by providing only necessary read access.
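The dataset-scoped, read-only grant that Option D describes, written out as an added example in Python (not code from the page or from Google's tooling). It edits the JSON shape that BigQuery's datasets.getIamPolicy returns so the result can be handed to setIamPolicy; the service-account names, the starting policy and the helper functions are constructed for illustration.

```python
"""Least-privilege cross-project grant: bind a service account from the
web-applications project to bigquery.dataViewer on a dataset owned by
em-databases-app, and audit the dataset policy for anything broader.
Hypothetical helper, not Google's API; it edits a getIamPolicy-shaped dict."""
import copy
import re

READ_ONLY_ROLE = "roles/bigquery.dataViewer"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# serviceAccount:<name>@<project-id>.iam.gserviceaccount.com ; group 1 = project id
SA_PATTERN = re.compile(
    r"^serviceAccount:[^@\s]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)


def add_cross_project_reader(policy: dict, member: str) -> dict:
    """Return a copy of `policy` with `member` bound to bigquery.dataViewer.
    Only service-account principals are accepted; the input dict is not mutated."""
    if member in PUBLIC_MEMBERS or not SA_PATTERN.match(member):
        raise ValueError(f"member must be a service account, got {member!r}")
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == READ_ONLY_ROLE:
            if member not in binding["members"]:  # idempotent on re-run
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": READ_ONLY_ROLE, "members": [member]})
    return new_policy


def cross_project_grants_to_review(policy: dict, dataset_project: str) -> list:
    """Audit helper: list (role, member) pairs where a service account from a
    different project holds anything broader than dataViewer, or where a
    public principal appears at all."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
                continue
            match = SA_PATTERN.match(member)
            if match and match.group(1) != dataset_project and binding["role"] != READ_ONLY_ROLE:
                findings.append((binding["role"], member))
    return findings


if __name__ == "__main__":
    # Constructed starting policy for the activity dataset in em-databases-app.
    current = {"bindings": [{"role": "roles/bigquery.dataOwner",
                             "members": ["serviceAccount:dba@em-databases-app.iam.gserviceaccount.com"]}]}
    updated = add_cross_project_reader(
        current, "serviceAccount:activity-reader@web-applications.iam.gserviceaccount.com")
    print(updated, cross_project_grants_to_review(updated, "em-databases-app"))
```

The same binding applied through the CLI would target the dataset, not the project, so the web-applications service account never receives project-wide roles such as owner.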